Considering aggregate portfolio risk is critical for insurance companies, which means it's important to differentiate between concentration risk and aggregation risk.
Concentration risk arises when many entities in your portfolio share a common dependency, such as a third-party vendor. If that third party suffers a cybersecurity vulnerability or incident, it can affect a number of your insureds at once. Aggregation risk, on the other hand, is the financial, resource-based, or reputational impact that results when a concentration risk turns into an accumulation of losses within your portfolio.
Let's break that down further. If you manage aggregation risk in your book of business, there are three things to consider:
Just because a service provider represents a high concentration risk within your portfolio doesn't necessarily mean it will lead to a bad outcome; that depends on the quality of the service provider. For example, suppose half of your insureds depend on a large, widely known web service provider and the other half depend on a smaller, lesser-known one. Using Security Ratings, you might find that the large web services company has a rating of 600 while the smaller provider has a rating of 300. In that case the smaller provider is the greater concern, because the lower rating may reflect observed cyber vulnerabilities that could translate into future losses across your portfolio. This knowledge also helps you focus your research on the differences between the two providers. So even though the larger company contributes more to concentration in your portfolio, the smaller of the two may be where your effort is best spent.
As an insurer, you'll also need to aggregate your actual limit exposures. If you've written contracts stating that you're willing to take on a certain dollar amount of risk, keep track of which coverages are involved as well as the dollar limits attached to each of those coverages. Consider adding some allowance for "silent" cyber exposures (losses that could be claimed under policies that neither explicitly include nor exclude cyber events) to this accounting.
Finally, be prepared for a range of scenarios, from a data breach to ransomware, a business continuity problem, or a service provider outage, that could affect your insureds and produce losses across your portfolio. Each scenario can trigger different coverages within a policy, so the better you understand the scenario, the better your chance of modeling its impact accurately.
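To make the three considerations above concrete, here is a small added example (written for this page, not BitSight's own code or a description of how BitSight Discover works). It takes a constructed portfolio, rolls up per-vendor concentration (how many insureds share each critical IT service provider) together with the aggregate affirmative cyber limits and an assumed "silent" cyber allowance, and then ranks only those vendors that are both heavily shared and poorly rated. The vendor names, limits and ratings are invented; the 250-900 rating scale, the 25% concentration threshold and the 500 rating threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Insured:
    """One policyholder in the book of business (constructed example data)."""
    name: str
    vendors: list                 # critical IT service providers this insured depends on
    cyber_limit: float            # affirmative cyber limit written for this insured
    silent_limit: float = 0.0     # assumed allowance for "silent" cyber on other lines


# Constructed sample portfolio: every name, limit and dependency is invented.
PORTFOLIO = [
    Insured("Acme Retail",   ["BigCloud"],              1_000_000, 200_000),
    Insured("Bolt Logistics", ["BigCloud"],             2_000_000),
    Insured("Cobb Clinics",  ["BigCloud", "SmallHost"],   500_000, 100_000),
    Insured("Dale Law",      ["SmallHost"],             1_500_000),
    Insured("Eddy Foods",    ["SmallHost"],               750_000),
    Insured("Fern Design",   ["NicheSaaS"],               250_000),
]

# Hypothetical vendor ratings on an assumed 250..900 scale (lower = more observed risk).
VENDOR_RATINGS = {"BigCloud": 600, "SmallHost": 300, "NicheSaaS": 450}


def concentration(portfolio):
    """Roll up, per vendor, how many insureds depend on it and the limits at stake.

    Returns {vendor: {count, share, cyber_limit, silent_limit, total_exposure}}.
    A vendor listed twice by one insured is counted once for that insured.
    """
    per_vendor = defaultdict(lambda: {"names": [], "cyber": 0.0, "silent": 0.0})
    for insured in portfolio:
        for vendor in set(insured.vendors):
            bucket = per_vendor[vendor]
            bucket["names"].append(insured.name)
            bucket["cyber"] += insured.cyber_limit
            bucket["silent"] += insured.silent_limit

    n = len(portfolio)
    summary = {}
    for vendor, bucket in per_vendor.items():
        count = len(bucket["names"])
        summary[vendor] = {
            "count": count,
            "share": count / n,                      # fraction of the book sharing this vendor
            "cyber_limit": bucket["cyber"],          # aggregate affirmative cyber limit
            "silent_limit": bucket["silent"],        # aggregate silent-cyber allowance
            "total_exposure": bucket["cyber"] + bucket["silent"],
        }
    return summary


def prioritize(summary, ratings, share_threshold=0.25, rating_threshold=500):
    """Name the vendors that deserve attention first.

    A vendor is flagged only when it is both widely shared (share >= share_threshold)
    AND rated below rating_threshold: high concentration alone is not a problem if the
    provider is strong, and a weak provider used by one insured is a single-account
    issue rather than an aggregation issue. Flagged vendors are ordered by the dollar
    exposure that would pile up if that provider failed.
    """
    flagged = [
        vendor for vendor, stats in summary.items()
        if stats["share"] >= share_threshold
        and ratings.get(vendor, 0) < rating_threshold
    ]
    return sorted(flagged, key=lambda v: summary[v]["total_exposure"], reverse=True)


if __name__ == "__main__":
    stats = concentration(PORTFOLIO)
    for vendor, s in sorted(stats.items(), key=lambda kv: kv[1]["total_exposure"], reverse=True):
        print(f"{vendor:10} insureds={s['count']} share={s['share']:.0%} "
              f"exposure=${s['total_exposure']:,.0f} rating={VENDOR_RATINGS.get(vendor)}")
    print("Focus first on:", prioritize(stats, VENDOR_RATINGS))
```

In the sample data BigCloud and SmallHost each serve half the book, but only SmallHost is flagged: BigCloud's concentration is offset by its stronger rating, which is exactly the distinction the first consideration draws. Raising the rating threshold (for example to 700) pulls BigCloud into the list as well, ordered ahead of SmallHost because more limit sits behind it. In a real book the limits would come from your policy administration system and the ratings from a ratings service, and the silent-cyber allowance would be an actuarial judgement rather than a fixed number per insured.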
Running your portfolio through BitSight Discover gives you concentration risk levels, so you can see at a glance how many insureds rely on the same critical IT service providers. That makes it far easier to judge how critical each of those third parties is to your book of business, leaving you more time to concentrate on delivering your underwriting and enterprise risk management strategies.
© 2018 BitSight Technologies. All Rights Reserved. | Privacy Policy